IDS mailing list archives
Re: RES: Honeytokens and detection
From: "Stephen P. Berry" <spb () meshuggeneh net>
Date: Fri, 11 Apr 2003 16:48:20 -0700
Augusto Paes de Barros writes:

> One of my favourite ones is the bogus administrator/root user with null password. Did anyone already try something with these?
Yeah, about a half dozen years ago. At the time, the exploit du jour used a field separator bug in an installed-by-default CGI script. Probably test-cgi, printenv or something like that, but I don't really recall. Anyway, the most common variant used said bug to cat /etc/passwd. So I wrote a little replacement that emulated the behaviour of the vulnerable script and responded with a bogus passwd file. The root passwd was a dictionary word.

The machine running the web server didn't allow telnet at all, but I used Wietse Venema's tcp_wrappers to respond to connection requests on port 23 with a banner that said something like:

    Sorry, inbound telnet connections are not currently allowed from domain foo.com. Please contact admin@target_server.net if you feel this is an error.

...where foo.com was the domain of the originating connection, and www.target_server.net was the web server.

So the typical scenario would play out like this:

    0860758276.297376 host.foo.com.12345 > www.target_server.net.80
    ...
    0860759296.003735 host.foo.com.34272 > www.target_server.net.23
    ...
    0860759304.576054 dialin.bar.com.34275 > www.target_server.net.23
    ...
    0860759309.262021 www.baz.net.34278 > www.target_server.net.23
    ...

...and so on. If you're actually interested in tracking the evildoer down, you can't -buy- intelligence that good. And he just gave it away for free.

Morals of the story:

-Always give the bad guy a chance to tell you about himself
-`Honeytoken' is a cool catchphrase, but the idea's been around a long time

-spb
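The correlation Stephen describes, as an added example that is not part of the original post: a small Python script that parses connection records in the same "epoch src.port > dst.port" shape shown above and, for every time the bogus passwd file was served, lists the source hosts that came knocking on the telnet port afterwards. The sample log lines and the TOKEN_SERVED record (what the replacement CGI script would have logged) are constructed for this example; the one-hour window is an assumption, not something the post specifies.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Connection-record format modelled on the timestamps in the post:
# "<epoch.frac> <src>.<sport> > <dst>.<dport>"
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<src>\S+)\.(?P<sport>\d+)\s+>\s+(?P<dst>\S+)\.(?P<dport>\d+)"
)


@dataclass(frozen=True)
class Conn:
    ts: float
    src: str
    sport: int
    dst: str
    dport: int


def parse_log(lines: List[str]) -> List[Conn]:
    """Parse connection records; lines that do not match (e.g. the '...'
    elisions in the post) are skipped. Result is sorted by timestamp."""
    conns = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        conns.append(Conn(float(m["ts"]), m["src"], int(m["sport"]),
                          m["dst"], int(m["dport"])))
    return sorted(conns, key=lambda c: c.ts)


def telnet_after_token(conns: List[Conn],
                       token_hits: List[Tuple[float, str, str]],
                       window: float = 3600.0,
                       telnet_port: int = 23) -> Dict[Tuple[float, str], List[Tuple[float, str]]]:
    """For each (ts, requester, server) record of the bogus passwd being served,
    return the (ts, src) of every connection to the server's telnet port inside
    `window` seconds afterwards, in time order. The requester itself is kept:
    the post's point is that the follow-up comes from several hosts."""
    followups: Dict[Tuple[float, str], List[Tuple[float, str]]] = {}
    for hit_ts, hit_src, server in token_hits:
        seen = [(c.ts, c.src) for c in conns
                if c.dst == server and c.dport == telnet_port
                and hit_ts <= c.ts <= hit_ts + window]
        followups[(hit_ts, hit_src)] = seen
    return followups


# Constructed sample log (hostnames follow the post's placeholders; the
# crawler and the late 'unrelated' host are added to show what is filtered out).
SAMPLE_LOG = """\
0860758276.297376 host.foo.com.12345 > www.target_server.net.80
0860758300.112233 crawler.example.org.40001 > www.target_server.net.80
...
0860759296.003735 host.foo.com.34272 > www.target_server.net.23
0860759304.576054 dialin.bar.com.34275 > www.target_server.net.23
0860759309.262021 www.baz.net.34278 > www.target_server.net.23
0860770000.000000 unrelated.example.net.50000 > www.target_server.net.23
""".splitlines()

# Constructed record from the bogus CGI script: when the fake passwd was served,
# to whom, and by which server. (ts, requester, server)
TOKEN_SERVED = [(860758276.297376, "host.foo.com", "www.target_server.net")]


def suspects(log_lines: List[str] = SAMPLE_LOG,
             token_hits: List[Tuple[float, str, str]] = TOKEN_SERVED,
             window: float = 3600.0) -> Dict[str, List[str]]:
    """Map each requester of the bogus passwd to the distinct hosts (first-seen
    order) that tried telnet within the window. Those hosts are the 'intelligence'
    the post talks about: the attacker's other machines, linked by the token."""
    result = telnet_after_token(parse_log(log_lines), token_hits, window)
    out: Dict[str, List[str]] = {}
    for (_, requester), seen in result.items():
        hosts: List[str] = []
        for _, src in seen:
            if src not in hosts:
                hosts.append(src)
        out[requester] = hosts
    return out


if __name__ == "__main__":
    for requester, hosts in suspects().items():
        print(f"{requester} fetched the bogus passwd; telnet attempts followed from: {', '.join(hosts)}")
```

The window is the only tuning knob: too short and a patient attacker who tries the password a day later is missed, too long and unrelated port-23 noise (scanners, the late host in the sample) gets attributed to the token. In practice the stronger link is the credential itself, so if the telnet banner or a fake login prompt can record the username and password attempted, matching on the dictionary-word root password beats matching on time alone.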
Current thread:
- RES: Honeytokens and detection Augusto Paes de Barros (Apr 11)
- Re: RES: Honeytokens and detection Stephen P. Berry (Apr 14)
- <Possible follow-ups>
- RES: Honeytokens and detection Augusto Paes de Barros (Apr 15)